[Dataloss] Best Western Response
Jamie C. Pole
jpole at jcpa.com
Tue Aug 26 22:22:01 UTC 2008
Sounds great to me...
I encounter the same problem in the Defense space. They are very much
beholden to STIGs and checklists - and I have never caught a hacker in
possession of either.
This is the difference between security assessment and automated
compliance testing. Automated compliance testing (seemingly the
majority of PCI DSS at this point) can only measure compliance with an
arbitrary (and outdated, outmoded, obsolete, etc.) baseline. Security
assessment SHOULD throw convention to the wind in favor of adopting
the same mindset as the hacker community. Any truly competent
security consultant should be able to do this.
I agree that some "lowest common denominator" can be helpful, but not
at the expense of an actual security program. Too many processors
take their PCI certificate "to the bank", and don't seem to bother
doing anything else.
That is the fatal flaw in the program.
In addition, the way the PCI QSA program is structured ensures that
competent security consultants will stay out of it. Why would anyone
want to sign on to a program where you have essentially unlimited
liability, but are forced to base your certification decisions on a
ridiculous standard? AND you have to pay them $20,000 initially, and
$10,000 per year afterward... Where does that money go???
Your comment about breaching other environments compliant with
applicable standards is right on the mark. A rigid standard is not
the answer to this problem.
Jamie
On Aug 26, 2008, at 6:02 PM, Daniel Clemens wrote:
>
> Better yet, when have you done any penetration testing engagement
> where the client was 'Compliant with x and y regulation and or
> standard' and you still gained access? (Probably almost every time
> or at worst 85% of the time)
>
> This is the exact reason why penetration testing and hacking will
> almost always win over an institutionalized process and or standard.
> Penetration testing (or whatever you want to call it nowadays) does
> not equate to a 'completely formal audit' which I think the PCI (PCI
> Scanning companies) standards and all the 'certified ethical hacker
> mindsets' seem to confuse. They are similar, but they are not the
> same.
>
> What I think the real complaint is about is the fact that there
> is a watered down Carolyn Meinel / JP happy hacker mindset which has
> successfully infected all that follow the logic that security
> equates to an exact science when fighting against creative minds.
>
> So there , I said it. :P
>
> | Daniel Uriah Clemens
> | http://bits.packetninjas.org
> "Imagination is more important than knowledge."-- Albert Einstein